UPDATED: Twitter Security Flaw Today – OnMouseOver

A new security flaw has been discovered on Twitter today. It is easy to reproduce, to exploit, to play with. It can cause a user’s account to take actions that the exploiter puts into a specially-crafted tweet, without the user realizing it; for example, the Twitter user can be redirected to a different website, any website of the exploiter’s choosing. [UPDATE #2]

The bug only appears to affect the twitter.com website, not third-party apps such as CoTweet, TweetDeck, etc. Therefore, until Twitter fixes this flaw, you might want to avoid the twitter.com website and only use third-party apps to access your Twitter stream.

The bug has to do with the onmouseover attribute, an HTML event handler that runs JavaScript when the mouse pointer passes over an element. Inserting an onmouseover statement into a tweet, using the correct syntax, allows the tweeter to program an action to take place when any other user moves their mouse over the tweet. The user doesn’t need to click on the tweet; they just have to move their mouse over the link in the tweet to have the preprogrammed action executed (and be redirected to another site, or have something else done).
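The root cause of this class of bug is tweet text being pasted into the page’s HTML without being escaped for the spot it lands in, so a quote character inside a “URL” can end the href attribute and whatever follows becomes a new attribute of the link. The snippet below is an added example, not code from the original post or from Twitter: it shows a deliberately naive auto-linker beside a hardened one that escapes user text for both attribute and element contexts and only links things that actually look like http(s) URLs. The function names and sample tweets are constructed for this illustration.

```javascript
// Escape the characters that let user text break out of HTML text content
// or out of a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only http(s) URLs made of characters that cannot terminate an
// attribute or start a tag; anything else is rendered as plain text.
function isSafeUrl(url) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(url);
}

// Naive auto-linker (the vulnerable pattern, kept for contrast): the matched
// "URL" is dropped straight into the href attribute. A quote inside it closes
// the attribute early and the remainder is parsed as further attributes of
// the <a> element, which is how an event handler ends up on the link.
function renderTweetUnsafe(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened auto-linker: every slice of user text is escaped for the context
// it is written into, and URLs that fail the allow-list are not linked at all.
function renderTweetSafe(text) {
  const out = [];
  const re = /https?:\/\/\S+/g;
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    out.push(escapeHtml(text.slice(last, m.index)));
    const url = m[0];
    if (isSafeUrl(url)) {
      const safe = escapeHtml(url);           // escaped once, used in both contexts
      out.push(`<a href="${safe}">${safe}</a>`);
    } else {
      out.push(escapeHtml(url));              // shown, but never turned into markup
    }
    last = re.lastIndex;
  }
  out.push(escapeHtml(text.slice(last)));
  return out.join('');
}

// Cheap structural check for the hardened output: the only double quotes
// should be the two delimiting each href attribute we emitted ourselves.
function quoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Constructed sample tweets (not real tweets).
const CLEAN_TWEET = 'Read this http://example.test/post';
const HOSTILE_TWEET = 'Look: http://example.test/"onmouseover="doSomething()"/';

// Demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderTweetUnsafe(HOSTILE_TWEET));
  console.log('safe   :', renderTweetSafe(HOSTILE_TWEET));
  console.log('clean  :', renderTweetSafe(CLEAN_TWEET));
}
```

The hardened path does two independent things, and both matter: escaping for the destination context stops a quote from closing the attribute, and the URL allow-list means text that is not a well-formed http(s) URL is never given an href at all. Either alone closes this particular hole; together they also cover the case where someone later loosens one of them.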

There doesn’t appear to be any word from Twitter yet on their official blog or on their @safety account about this situation or a time estimate on its repair. So be careful until this is fixed.

UPDATE #1: The Twitter @safety account just retweeted the following tweet from the head of Twitter’s Trust and Safety team: “The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.” So hopefully, this bug should now be fixed.
